Skip to main content

Scan GCP Instances Using Snapshots

cnspec can assess the security of a GCP instance without affecting your production workload. It creates a snapshot of the instance, scans that snapshot, and then removes it.

To snapshot scan a GCP instance, you create a VM instance and scan from that VM. The VM instance from which you scan must have adequate permissions.

Set up permissions for snapshot scanning

To create and scan a snapshot of a GCP instance, you must create a service account for the VM instance from which you execute the snapshot scan. The service account you create needs specific permissions, which you provide using a custom role.

  1. In the Google Cloud console, create a new role named cnspec-snapshot-scanner with these permissions:

    • compute.disks.create
    • compute.disks.createSnapshot
    • compute.disks.delete
    • compute.disks.get
    • compute.disks.setLabels
    • compute.disks.use
    • compute.disks.useReadOnly
    • compute.instances.attachDisk
    • compute.instances.detachDisk
    • compute.instances.get
    • compute.snapshots.create
    • compute.snapshots.get
    • compute.snapshots.list
    • compute.snapshots.useReadOnly
    • compute.zoneOperations.get

    To learn how, read Grant an IAM role by using the Google Cloud console in the GCP documentation.

  2. In the Google Cloud console, create a new service account and assign it these roles:

    • cnspec-snapshot-scanner
    • Service Account User

    To learn how, read Create service accounts in the GCP documentation.

Create a VM from which to run a cnspec snapshot scan

In the Google Cloud console, create a new VM instance using the service account you created in the previous steps. To learn how, read Create a VM that uses a user-managed service account in the GCP documentation.


You can create a VM instance template to make it easier to spin up VM instances for snapshot scanning. To learn how, read Create instance templates in the GCP documentation.

Create, scan, and destroy a snapshot

Connect to the VM instance you created in the steps above and then run:

cnspec scan gcp instance INSTANCE-NAME --project-id PROJECT-ID --zone INSTANCE-ZONE


cnspec scan gcp instance lunalectric-rover --project-id rover-123 --zone us-central1-a

Scan an existing snapshot

cnspec lets you scan a specific, existing snapshot. This gives you insight into the instance's state at a particular point in time. You can also use the data to assess change over a span of time.

To scan an existing snapshot, you must be logged into the instance.

cnspec scan gcp snapshot SNAPSHOT-NAME --project-id PROJECT-ID


cnquery scan gcp snapshot suse12 --project-id rover-123

Next step

Learn how you can Build Secure VM Images in Google Cloud with cnspec and HashiCorp Packer.